‘Viral inviters’ want your e-mail contact list

Several firms have recently sprung up that provide tools to copy e-mail and social-network contact lists from Outlook, Gmail, Hotmail, AOL, MySpace, Friendster, and other sites.

Web site operators who lure unsuspecting users into sharing their address lists can then send invitations to all the contacts in order to swipe even more private info.

The names of some of the contact-scraping tools — Viralinviter.com, TrafficXplode.com, and TheTsunamiEffect.com —hide their true purpose. They present themselves as list-builders for site owners and e-mail marketers, and are indeed used by many legitimate companies. But these tools are attractive to all kinds of sites, not just trustworthy ones. Sites that use contact-scraping tools can build e-mail lists in a way that puts your privacy and security at risk.

Subscribe and get our monthly bonuses - free!

The Windows 7 Guide, Volume 3: Advanced maintenance and troubleshooting provides advanced tools for keeping Microsoft's premier operating system up and running smoothly. Get this excerpt and other 4 bonuses if you subscribe FREE now!

You may have used an address-scraping tool already. Major social-networking sites such as Facebook, ShareThis, LinkedIn, and Plaxo offer a convenient way to build your initial “friends” list by importing your contacts from Outlook or other e-mail programs or by signing in to your webmail or social-networking service. The process is as easy as uploading a file or entering your user ID and password. (See Figure 1.)

Figure 1. Legitimate social-networking services — in this illustration, ShareThis.com — can create an initial friends list by importing contacts from an e-mail program or from Web services such as Gmail, Yahoo, MSN, AOL, AIM, and MySpace.

Viral inviter–type services take advantage of this familiarity by making their input forms look like those on the social-networking sites. (See Figure 2.)

Figure 2. The TrafficXplode service gives site owners an online form that scrapes contact lists from more than 20 popular webmail and social-networking sites.

Uploading a contact file or entering your ID and password into these forms, however, can transfer your password and/or all of your friends’ e-mail addresses to a company that may not have a strong privacy policy. How viral inviters overcome built-in suspicions “But wait,” you might say, “savvy Windows Secrets readers would never upload their address lists or enter their passwords, so they must be safe, right?”

That may be true of you and me, but it’s not the case for the population as a whole. Your friends, relatives, co-workers, and random classmates from 20 years ago could easily fall prey to this data-scraping scam — and they could be the ones surrendering your info.

Imagine that your 15-year-old daughter is a member of Facebook, MySpace, Twitter, and ShareThis. She also might be a subscriber to chat services such as AIM, Yahoo, Skype, and MSN. She’s used to sharing her address lists on social sites. That’s how the services work.

So when your daughter joins a new site — very likely having been invited by a friend to do so — and is asked to go through the exact same list-building process she’s familiar with from Facebook, she becomes easy prey. The viral scripts look just like their social-networking cousins.

A site may say that it won’t store passwords or misuse addresses, but such promises mean nothing to a spam operator. Phishing sites can do even more damage by simply emulating a well-known social network to lure users into logging in via phony e-mail invitations.

Spammers are famous for manipulating big sites to do the work for them. For example, blogger Dave Taylor describes a standard Plaxo address-update request he received that he would normally respond to without much thought.

However, this request had various bits of old and incorrect info and was obviously cobbled together from different sources, which roused his suspicions.

According to Taylor, “a spammer uploads as much data as is easily found on tens of thousands of people, then triggers Plaxo sending out an ‘update your contact information’ message. Clueless or overly busy people see the contact info, say ‘Whoa! Let’s update that, it’s way wrong,’ and never ask themselves if they actually know the person sending the request.”

David Lazarus of the Los Angeles Times has accused social-networking site Reunion.com of abusing e-mail contacts. The company’s aggressive marketing tactics require you to surrender your address list to join up, in most cases. The site then sends out invitations in your name to all your contacts. Since Reunion.com charges for membership, the more members it can sign up, the more it makes.

This is not to say that every site posting a form provided by a viral-inviter service is a scam. Most are just typical Internet marketers out to make a buck with their weight-loss secrets or self-help videos.

But address-scraping tools can be gold mines when put in the hands of identity thieves — and the scripts are available to any Web site operator. Web services can’t control what people share Why don’t the big sites slam the door on the scraping of their contact lists? It’s not that they aren’t trying, but when a user gives up his or her ID and password to a viral-invitation site, there’s not much the services can do.

Take Facebook. With more than 150 million members worldwide and a huge amount of data on every user, the site is a dream come true for spammers and identity thieves.

Facebook has an onerous end-user licensing agreement (EULA) that puts the liability for misuse of your account on you whenever you share your passwords or contacts. The EULA also prohibits the use of “automated scripts to collect information from or otherwise interact with the Service or the Site.”

Facebook seems to be fairly successful in its attempts to prevent scripts from accessing users’ data. For one thing, neither Viralinviter nor TrafficXplode currently claim to be able to scrape data from Facebook (although this ability was at one point claimed by TrafficXplode). This is probably because Facebook now presents address-book information in image form rather than text, which makes it harder to scrape.

Such techniques as cutting off users who make too many data requests in one session can also be effective. However, there’s nothing stopping a shady site from storing the IDs and passwords it acquires and using the data later for malicious purposes.

LinkedIn’s EULA has similar verbiage to Facebook’s. Unlike Facebook, however, LinkedIn doesn’t seem to actively prevent scripts from scraping its data. Viralinviter claims to work with LinkedIn accounts and even features the LinkedIn logo prominently on the Viralinviter site, along with logos of MSN, AOL, and others. Linked social networks accelerate the problem The arms race between the script builders and big-name Web services is just beginning. The massive data collections that the scrapers are able to accumulate are simply too valuable to pass up.

The problem will only get worse as social-networking sites create linked systems. For example, the Facebook Connect service that launched last year allows members to use their Facebook account to sign in to hundreds of third-party sites, such as CNET and MoveOn.org. (This is explained on a page listing Facebook Connect Live sites).

Facebook claims to vet each site before allowing it to join the Connect system, but as the list grows, it will be increasingly difficult for Facebook to control things. Google has a similar service called Friend Connect. (Google has posted its own explanation of the concept.)

Services such as these provide convenience, but when people become accustomed to entering their passwords on third-party sites, it’s only a matter of time before users encounter phishing sites, or worse. Even experienced users may be fooled in this way.

Dave Jevans, chairman of the Anti-Phishing Working Group, told me in an e-mail interview, “Malicious software and scripts that take advantage of social-networking sites or that scrape e-mail address books are a growing threat. Because these messages appear to come from a friend or colleague, the recipient usually trusts the contents.

“There have been outbreaks where over 1 million people have been affected in a short period of time,” according the Jevans. “These malicious systems can be used to drive users to advertising sites, thus driving ad revenue for the fraudsters. In some cases, they drive users to Web sites that install malicious software — malware or crimeware — onto their computers in order to steal passwords and credit card information.”

Jordy Berson, group product manager for Check Point’s Zone Alarm, echoes that sentiment. “Legitimate companies train us to use and trust their harvesting techniques, such as e-mail scraping,” Berson said in an e-mail, “but in the wrong hands, they are extremely dangerous for consumers — and stolen e-mail [addresses] are just the beginning.”

The bottom line: Assume your data can be scraped from any social-networking or webmail site, and plan accordingly. Prevent your data from being scraped Other than canceling all your social-networking accounts, what can you do to protect yourself against list scrapers?

First, be diligent about your own sign-in habits. Use strong passwords and enter them only on sites you trust. Also, make sure you have your browser’s phishing protection turned on. The LinkExtend Firefox extension recommended by WS senior editor Gizmo Richards in his Mar. 5 Best Software column (paid content) will alert you to most malicious site operators.

Second, safeguard your e-mail accounts. As emphasized earlier, the main danger is not that you will give away your own information but that your so-called friends will do it for you. Use your work e-mail address only for communicating with colleagues and clients, not for shopping or registering on social sites. Most importantly, don’t share your work address with friends and relatives.

Next, educate your contacts that you don’t want them handing over their e-mail files or contact lists to any site that asks. You can’t guarantee that everyone you know will comply, but there’s no reason to let scraping services go unchallenged.

Finally, protect your primary personal e-mail address by using disposable aliases that are forwarded to your primary account. That way, you can track who is sharing your address and delete any addresses that become spam magnets. Google’s Gmail and Yahoo Mail both make it easy to create throwaway e-mail addresses. (They work quite differently, however, as WS contributing editor Scott Dunn explained in his July 24, 2008, review of webmail services.)

The data-scraping problem will not go away any time soon, but taking steps to safeguard your personal data can help you keep the scrapers at bay.

Becky Waring has worked as a writer and editor for CNET, ZDNet, Technology Review, Upside Magazine, and many other news sources.

About Becky Waring

Becky Waring has worked as a writer and editor for CNET, ZDNET, Technology Review, Upside Magazine, and many other news sources. She alternates the Best Software column with Windows Secrets contributing editor Scott Spanbauer.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of iNET Interactive. All other marks are the trademarks or service marks of their respective owners.